On Wed, Jan 25, 2017 at 08:23:07AM -0700, Thomas Fjellstrom wrote:
> Hi.
>
> I'm having a minor problem setting up shorewall to properly route and allow
> openvpn traffic through my firewall.
>
> I'd like the openvpn client to be running on the firewall, and allow local
> machines to connect to and communicate with the private subnet on the other
> side of the vpn, but not allow new traffic from the other side into my lan.
>
> So far I have traffic that is getting sent out my public connection to the
> openvpn server, but nothing comes back according to `tcpdump -i extIF host
> VPNGATEWAY`. Nothing shows up in the logs stating traffic has been blocked.
> Policy is set up to log on the final DROP and REJECT rules.
>
Hi Thomas,

What you are describing sounds like a three-interface setup. There is a HOWTO here:

http://shorewall.net/three-interface.htm

You will have local and net zones like in the HOWTO. The main difference is that instead of a DMZ zone you will have a VPN zone, which it sounds like you want to treat sort of like a net zone (traffic is OK to go from your local network to that zone, but not the other way around).

It should be just a matter of ensuring you have forwarding (I assume you do or you would have other problems), the right policy (loc -> vpn == OK), and possibly masquerading (depending on the address ranges involved).

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
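As an added example (not from the thread, and not from the Shorewall HOWTO itself) of the configuration Roberto's reply describes, here is a three-interface-style setup with the DMZ replaced by a VPN zone. Assumed names: eth0 is the public interface, eth1 the LAN (10.0.0.0/24), tun0 the OpenVPN client's tunnel, and the remote private subnet is 192.168.100.0/24 (its route via tun0 is pushed by the OpenVPN server, not by Shorewall). The file formats are Shorewall 4.6/5.0; on 5.1 and later the masq file is replaced by snat.

```text
# /etc/shorewall/shorewall.conf (the one setting that matters here)
IP_FORWARDING=On

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
# the far side of the OpenVPN tunnel
vpn     ipv4

# /etc/shorewall/interfaces
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        tcpflags,nosmurfs,routefilter,logmartians
# tun0 only exists while the OpenVPN client is up, so mark it optional
vpn     tun0        optional

# /etc/shorewall/policy (first match wins, so order matters)
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
# LAN hosts may open connections into the remote subnet
loc       vpn    ACCEPT
# the OpenVPN client on the firewall needs to reach the server over net
$FW       net    ACCEPT
$FW       vpn    ACCEPT
# nothing new may come in from the remote side; log what gets dropped
vpn       all    DROP     info
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
#ACTION          SOURCE   DEST   PROTO   DPORT
SSH(ACCEPT)      loc      $FW
Ping(ACCEPT)     loc      $FW
# only needed if you tighten $FW->net above (OpenVPN macro = UDP 1194)
OpenVPN(ACCEPT)  $FW      net

# /etc/shorewall/masq (Shorewall 5.0 and earlier; /etc/shorewall/snat in 5.1+)
#INTERFACE   SOURCE
# LAN out to the Internet
eth0         10.0.0.0/24
# Only if the remote side has no route back to 10.0.0.0/24: hide the LAN
# behind the firewall's tun0 address so replies come back through the tunnel.
tun0         10.0.0.0/24
```

Replies to LAN-initiated connections are matched as ESTABLISHED by connection tracking, so the vpn -> all DROP policy does not break loc -> vpn traffic; it only stops connections the remote side initiates. Run `shorewall check` after editing and, because the policy logs at info level, a blocked packet will then show up in the kernel log rather than silently disappearing.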